Method for providing user access control within a distributed data processing system by the exchange of access control profiles.

A method is disclosed for providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein. Thereafter, selected access control profiles are exchanged between the reference monitor service and a resource manager in response to an attempted access (82) of a particular resource object controlled by that resource manager. The resource manager may then control access to the resource object by utilizing the exchanged access control profile (86-98). In a preferred embodiment of the present invention, each access control profile may include access control information relating to a selected user; a selected resource object; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected group of users.
METHOD FOR PROVIDING USER ACCESS CONTROL WITHIN A DISTRIBUTED DATA PROCESSING SYSTEM BY THE EXCHANGE OF ACCESS CONTROL PROFILES



The present invention relates to data processing systems in general and in particular to improved methods of providing access control for a plurality of resource objects within a distributed data processing system. Still more particularly, the present invention relates to a system which permits the rapid and efficient interchange of access control information throughout a distributed data processing system.

Security and access control systems in computer based data processing systems are well known in the prior art. Existing access control systems are generally oriented to a single host system. Such single host access control systems are generally utilized to provide security for the host and access control to applications and system resources, such as files. Each application must generally provide access control for the resources controlled by that application.

One example of an access control system designed for utilization with the IBM 370 system is a product called RACF, or Resource Assets Control Facility. RACF offers access control for applications, such as files or CICS transactions, and is hierarchically oriented in access authority levels and grouping of users. RACF is a "password" oriented access control system and access is granted or denied based upon a user's individual identity and his or her knowledge of an appropriate password to verify that identity. The RACF system is, however, oriented to a single host system and cannot be employed in a distributed data processing system which employs multiple hosts associated with separate groups of resource objects, due to the fact that this system does not allow the interchange of access control information from one host to another.

Another example of known access control systems is AS/400. The AS/400 system is a capability based system in which security is based upon each individual resource object. Each user is authorized to access individual resource objects based upon the user's capability within the system. The AS/400 system maintains security by keeping User Profiles, Object Authority, and System Values within the architecture of the machine itself. As above, this system is highly efficient at controlling access to resource objects controlled by a single host; however, access to resource objects located within a distributed data processing system containing multiple hosts cannot be controlled. That is, access to a resource object controlled by one host cannot be obtained by a user enrolled at a second host.

One other example of an access control system is the DB2 product. This product permits a more flexible access control and offers granular or bundled access control authority. For example, the DB2 system may utilize special authorities for administration or database operations. Further, access privilege may be bundled into a specified authority or role so that a user may access specific resource objects based upon the user's title or authority level, rather than the user's personal identity. However, as above, the DB2 system does not possess the capability of exchanging access control information with non-DB2 applications.

Therefore, it should be obvious that a need exists for a method of providing access control in a distributed data processing system whereby access to selected resource objects may be controlled throughout the distributed data processing system by means of the exchange of access control information throughout the system.

It is therefore one object of the present invention to provide an improved data processing system.

It is another object of the present invention to provide an improved method of providing access control for a plurality of resource objects within a distributed data processing system.

It is yet another object of the present invention to provide an improved method of providing access control for a plurality of resource objects within a distributed data processing system which permits the rapid and efficient interchange of access control information throughout a distributed data processing system.

The foregoing objects are achieved as is now described. The method of the present invention may be utilized to provide user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein. Thereafter, selected access control profiles are exchanged between the reference monitor service and a resource manager in response to an attempted access of a particular resource object controlled by that resource manager. The resource manager may then control access to the resource object by utilizing the exchanged access control profile. In a preferred embodiment of the present invention, each access control profile may include access control information relating to a selected user; a selected resource object; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects.

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself however, as well as a preferred mode of use, further objects and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

Figure 1 depicts a pictorial representation of a distributed data processing system which may be utilized to implement the method of the present invention;

Figure 2 depicts in block diagram form the access control system utilized with the method of the present invention;

Figure 3 is a high level flow chart depicting the establishment of an access control system in accordance with the method of the present invention; and

Figure 4 is a high level flow chart depicting access to a resource object in accordance with the method of the present invention.
With reference now to the figures, and in particular with reference to Figure 1, there is depicted a pictorial representation of a data processing system 8 which may be utilized to implement the method of the present invention. As may be seen, data processing system 8 may include a plurality of networks, such as Local Area Networks (LAN) 10 and 32, each of which preferably includes a plurality of individual computers 12 and 30, respectively. Of course, those skilled in the art will appreciate that a plurality of Interactive Work Stations (IWS) coupled to a host processor may be utilized for each such network.

As is common in such data processing systems, each individual computer may be coupled to a storage device 14 and/or a printer/output device 16. One or more such storage devices 14 may be utilized, in accordance with the method of the present invention, to store applications or resource objects which may be periodically accessed by any user within data processing system 8. In a manner well known in the prior art, each such application or resource object stored within a storage device 14 is associated with a Resource Manager, which is responsible for maintaining and updating all resource objects associated therewith.

Still referring to Figure 1, it may be seen that data processing network 8 may also include multiple main frame computers, such as main frame computer 18, which may be preferably coupled to Local Area Network (LAN) 10 by means of communications link 22. Main frame computer 18 may also be coupled to a storage device 20 which may serve as remote storage for Local Area Network (LAN) 10. Similarly, Local Area Network (LAN) 10 may be coupled via communications link 24 through a subsystem control unit/communications controller 26 and communications link 34 to a gateway server 28. Gateway server 28 is preferably an individual computer or Interactive Work Station (IWS) which serves to link Local Area Network (LAN) 32 to Local Area Network (LAN) 10.

As discussed above with respect to Local Area Network (LAN) 32 and Local Area Network (LAN) 10, resource objects may be stored within storage device 20 and controlled by main frame computer 18, as resource manager for the resource objects thus stored. Of course, those skilled in the art will appreciate that main frame computer 18 may be located a great geographic distance from Local Area Network (LAN) 10 and similarly Local Area Network (LAN) 10 may be located a substantial distance from Local Area Network (LAN) 32. That is, Local Area Network (LAN) 32 may be located in California while Local Area Network (LAN) 10 may be located within Texas and main frame computer 18 may be located in New York.

In known prior art systems of this type, should the user of an individual computer 30 desire to access a resource object stored within storage device 20, associated with main frame computer 18, it will be necessary for the user of computer 30 to be enrolled within the security system of main frame computer 18. This is necessary in order for the user of computer 30 to present the proper password to obtain access to the desired resource object. Of course, those skilled in the art will appreciate that this technique will prove ungainly in distributed data processing systems, such as data processing system 8 depicted within Figure 1.

Referring now to Figure 2, there is depicted in block diagram form the access control system which is utilized with the method of the present invention. As is depicted, Local Area Networks (LAN) 10 and 32 are illustrated by dashed lines, as is main frame computer 18. In each instance resource objects 42, 48 and 54 are illustrated in association with each portion of distributed data processing system 8 of Figure 1. Of course, each object thus illustrated will be stored within one or more storage devices associated with each portion of data processing system 8. As is illustrated, Local Area Network 10 includes a resource manager 40 which may be one or more individual computers which are utilized to manage selected resource objects. Also established within Local Area Network 10 is a Reference Monitor 44. Reference Monitor 44, in accordance with the method of the present invention, is an application or service which is utilized to store access control profiles which may include access control information relating to: selected users; selected resource objects; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected list of users, each authorized to access at least a portion of said predetermined set of resource objects.

Still referring to Figure 2, it may be seen that within Local Area Network (LAN) 32 a resource manager 46 is illustrated, which is utilized, in a manner well known in the art, to control access to resource object 48. Similarly, a Reference Monitor 50 is established within Local Area Network (LAN) 32. Reference Monitor 50 is, as described above, preferably utilized to store access control profiles relating to individual users within Local Area Network 32 as well as resource objects stored within Local Area Network 32.

Finally, main frame computer 18 is illustrated as including a resource manager 52 which has associated therewith one or more resource objects 54.

In accordance with an important feature of the present invention, any attempted access of a resource object, such as resource object 42, 48 or 54, will automatically result in a query by the associated resource manager to one or more Reference Monitor applications to determine whether or not the access requested will be permitted. It should be noted that, in accordance with the depicted embodiment of the present invention, only one Reference Monitor application is required for data processing system 8; however, two are illustrated. In accordance with the method of the present invention, communications links between a single Reference Monitor application may be established with each and every resource manager within data processing system 8 (see Figure 1) so that access to selected resource objects may be controlled in accordance with the access control information stored within the profiles within that Reference Monitor.

In this manner, a user within Local Area Network (LAN) 32 may, via the communications links depicted within Figure 1, request access to a resource object 54 associated with main frame computer 18. As will be explained in greater detail herein, resource manager 52 will then query Reference Monitor 44 and/or Reference Monitor 50 to determine whether or not a profile exists which permits the requested access. If so, the profile information is exchanged between the appropriate Reference Monitor and resource manager 52 and access to resource object 54 may be permitted.

With reference now to Figure 3, there is depicted a high level flow chart illustrating the establishment of an access control system in accordance with the method of the present invention. As is illustrated, the process begins at block 60 and thereafter passes to block 62, which depicts the defining of an access control profile for an object or group of objects, by the associated resource manager. Thereafter, block 64 illustrates the storing of that profile within a Reference Monitor application. Next, block 66 illustrates a determination of whether or not additional objects require an access control profile to be established and if so, the process returns to block 62 and continues thereafter in an iterative fashion.

In the event no additional resource objects require access control profiles, the process passes to block 68 which illustrates the establishment by an associated resource manager of an access control profile for one or more users within the distributed data processing system. Thereafter, block 70 illustrates the storing of the access control profile thus created in an associated Reference Monitor application. Block 72 next determines whether or not additional users within the data processing system require access control profiles to be created. If so, as above, the process returns to block 68 to define the additional profiles. In the event no additional users require access control profiles, then the process terminates, as illustrated in block 74. Of course, those skilled in the art will appreciate that in this manner it will be possible to create various access control profiles which contain access control information relating to a single resource object, a group of resource objects, an individual user, a group of users, or, a predetermined set of resource objects and a selected group of users.

Finally, referring to Figure 4, there is depicted a high level flow chart depicting access to a resource object in accordance with the method of the present invention. As is illustrated, the process begins at block 80 and thereafter passes to block 82 which illustrates the receipt by a resource manager of an access request for a resource object within that resource manager's purview. Next, the process passes to block 84 which illustrates the query of the nearest Reference Monitor application to determine whether or not an access control profile exists for the resource object or user in question.

Block 86 next depicts a determination of whether or not the appropriate access control profile is defined locally and if so, block 88 illustrates a determination of whether or not access to the specific resource object is permitted. This determination is, as those skilled in the art will appreciate, simply a matter of comparing the defined access control profile with the parameters of the resource object and the user in question. Thereafter, as illustrated in block 90, if the determination of block 88 so permits, access to the resource object is provided and the process terminates, as depicted in block 92.

Returning to block 86, in the event an access control profile is not defined locally, then block 94 illustrates a determination of whether or not an appropriate access control profile is defined anywhere within the system. If so, block 96 depicts the retrieval of that profile and the process then returns to block 88 for a determination of whether or not access to the selected resource object is permitted. Thereafter, if access is permitted, the process passes to block 90 which illustrates the accessing of the resource object and the subsequent termination of the process.

In the event the access control profile required is not defined anywhere within data processing system 8 (see Figure 1) or access to the desired resource object is not permitted, as illustrated by the determination within block 88, then block 98 depicts the denial of access to the requested resource object with an appropriate message to the requester.
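The profile establishment of Figure 3 and the access decision of Figure 4 (blocks 82 to 98), as an added example that is not part of the patent: a Python simulation in which a resource manager asks its nearest Reference Monitor first, then any other Reference Monitor in the system, retains the exchanged profile, and decides by comparing it with the user and object. Class names, user names and operations are assumptions.

```python
# Added example, not the patent's code: a simulation of the profile exchange
# of Figures 2 to 4.  Class, function and user names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Users authorized for some operations on a set of objects (claims 2-6)."""
    users: frozenset
    objects: frozenset
    operations: frozenset


class ReferenceMonitor:
    """Service that stores access control profiles (blocks 64 and 70)."""
    def __init__(self, name):
        self.name = name
        self.profiles = []

    def store(self, profile):
        self.profiles.append(profile)

    def lookup(self, user, obj):
        """Profiles covering this user and this object, if any (blocks 84, 94)."""
        return [p for p in self.profiles if user in p.users and obj in p.objects]


class ResourceManager:
    """Controls its own objects and decides with exchanged profiles (Figure 4)."""
    def __init__(self, name, objects, local_monitor, other_monitors=()):
        self.name = name
        self.objects = set(objects)
        self.local = local_monitor
        self.others = list(other_monitors)
        self.exchanged = {}  # profiles already received, keyed by (user, obj)

    def request_access(self, user, obj, operation):
        """Blocks 82 to 98: returns (permitted, message for the requester)."""
        if obj not in self.objects:
            raise KeyError(f"{obj} is not managed by {self.name}")
        # Blocks 84/86: is a profile defined locally (already exchanged, or
        # held by the nearest Reference Monitor)?
        profiles = self.exchanged.get((user, obj)) or self.local.lookup(user, obj)
        # Blocks 94/96: otherwise ask every other Reference Monitor in the system.
        for monitor in self.others:
            if profiles:
                break
            profiles = monitor.lookup(user, obj)
        if not profiles:
            return False, f"denied: no access control profile for {user} on {obj}"
        self.exchanged[(user, obj)] = profiles  # retain the exchanged profile
        # Block 88: compare the profile with the user and object parameters.
        if any(operation in p.operations for p in profiles):
            return True, f"permitted: {user} may {operation} {obj}"
        return False, f"denied: profile does not allow {user} to {operation} {obj}"


def build_system():
    """Constructed topology of Figure 2: Reference Monitor 44 in LAN 10,
    Reference Monitor 50 in LAN 32, and resource manager 52 on main frame 18
    controlling object 54.  Users and operations are constructed sample data."""
    monitor44, monitor50 = ReferenceMonitor("Monitor44"), ReferenceMonitor("Monitor50")
    monitor44.store(Profile(frozenset({"user_lan10"}), frozenset({"obj42"}),
                            frozenset({"read", "write"})))
    monitor50.store(Profile(frozenset({"user_lan32", "user_lan32b"}),
                            frozenset({"obj48", "obj54"}), frozenset({"read"})))
    return ResourceManager("Manager52", {"obj54"}, monitor44, [monitor50])
```

A request by user_lan32 for obj54 is answered by Reference Monitor 50 only after Reference Monitor 44 reports no profile, and a second request for the same pair is decided from the retained copy without a further query.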

Upon reference to the foregoing, those skilled in the art will appreciate that by utilizing one or more Reference Monitor applications within a distributed data processing system, each containing one or more access control profiles relating to resource objects or users, it will be possible to control access to a plurality of resource objects located within various subsections of a distributed data processing system, without requiring each individual user within the distributed data processing system 8 to enroll with each resource manager located at every point within the system. By permitting the rapid and efficient interchange of access control profiles containing access control information throughout the system, necessary access control decisions are made at a limited number of locations and the process is greatly enhanced in terms of efficiency.



Claims

1. A method of providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers associated with said plurality of resource objects, said method comprising the steps of:

storing a plurality of access control profiles within a reference monitor service (64);

exchanging a selected access control profile between said reference monitor service and a selected resource manager in response to an attempted access of a particular resource object (82); and

utilizing said resource manager to control access to said particular resource object in accordance with said selected access control profile (90, 98).

2. The method according to Claim 1 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected user.

3. The method according to Claim 1 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected resource object.

4. The method according to Claim 1 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected group of users.

5. The method according to Claim 1 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected set of resource objects.

6. The method according to Claim 1 wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects.

7. A method of providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers associated with said plurality of resource objects, said method comprising the steps of:

establishing a reference monitor service within said distributed data processing system;

storing a plurality of access control profiles within said reference monitor service;

exchanging a selected access control profile between said reference monitor service and a selected resource manager in response to an attempted access of a particular resource object; and

utilizing said resource manager to control access to said particular resource object in accordance with said selected access control profile.

8. The method according to Claim 7 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected user.

9. The method according to Claim 7 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected resource object.

10. The method according to Claim 7 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected group of users.

11. The method according to Claim 7 wherein selected ones of said plurality of access control profiles each include access control information relating to a selected set of resource objects.